This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 15%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hello.
It's some time I notice clients apply some group policy after a high delay and at times they don't even get applied. In particular a policy that adds Shared Printers.
Yesterday I noticed that three (out of six) DCs are always in status "replication in progress"
Could somebody please help me out?
Thank you and best regards.
Roberto
Anybody on this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Roberto ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hello @Roberto ,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hi @Daisy Zhou
Hi @Dave Patrick
Sorry for getting back to you late.
Unfortunately I have not understood what was the cause of this problem.
Anyways, here's how I solved it.
On the PDC:
1) copy/paste of the policies (about 10) that were not in sync
2) deleted the original policies and renamed the new to the original name
Now all policies are in sync.
Thank you and best regards.
Roberto
Hello @Roberto ,
Thank you for your update. I am very glad that the problem has been solved.
As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
You can try a non authoritative synchronization
https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo
or simply move roles off, demote, reboot, promo it again if tombstoned. The event log should have more details.
--please don't forget to Accept as answer if the reply is helpful--
Any progress or updates?
--please don't forget to Accept as answer if the reply is helpful--
Thank you for your suggestion.
Before going that way, I'll try some debugging as suggested by @Daisy Zhou
Best regards.
Roberto
Hello @Roberto ,
Thank you for your update.
If anything is unclear, please feel free to let us know.
Best Regards,
Daisy Zhou
Hello @Roberto ,
Thank you for posting here.
Based on the description, I understand you have one domain with five DCs.
Before we troubleshoot SYSVOL DFSR replication issue, we must check whether AD replication between the five DCs works fine.
If there is any issue about AD replication between all the five DCs, we should fix AD replication issue first, then trouble SYSVOL DFSR replication issue.
If AD replication between all the five DCs works fine, then if there is indeed SYSVOL DFSR replication issue, we can troubleshoot SYSVOL DFSR replication issue.
Check AD replication status:
1.On the PDC, run the command below to force AD replication immediately and check if there is any error message.
repadmin /syncall /AdeP
2.On the PDC, run the three commands below to check there is any error message in the result.
repadmin /showrepl >c:\rep1.txt
repadmin /replsum >c:\rep2.txt
repadmin /showrepl * /csv >c:\repsum.csv
If all the results of the four commands above are OK without any error message, it means AD replication in your AD environment is OK.
Then check SYSVOL DFSR replication issue:
1.On all DCs, we can check if the number of the items under C:\Windows\SYSVOL\domain\Policies is the same or not.
2.If the number of the items under C:\Windows\SYSVOL\domain\Policies on the three DC you mentioned is not the same as baseline DC (SV-102-DC).
Tip: the number of the items under C:\Windows\SYSVOL\domain\Policies is the largest on baseline DC.
3.It means SYSVOL DFSR replication on the three DCs is not in sync.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hi @Daisy Zhou
Here's what I did:
C:\Users\administrator.CPT>netdom /query fsmo
Schema master SV-118-DC.CPT.local
Domain naming master SV-102-DC.CPT.local
PDC SV-102-DC.CPT.local
RID pool manager SV-102-DC.CPT.local
Infrastructure master SV-102-DC.CPT.local
The command completed successfully.
so, sv102-dc is the PDC.
on the PDC:
Now checking the quantity of items in DFSRfolder
sv-102-dc: 157 items
sv-104-dc: 157 items
sv-106-dc: 157 items
sv-108-dc: 157 items
sv-118-dc: 157 items
sv-gcpt: 157 items
All DCs have 157 items on that folder.
Any more debugging hints?
Thank you and best regards.
Roberto
You can try a non authoritative synchronization
https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo
or simply move roles off, demote, reboot, promo it again.
--please don't forget to Accept as answer if the reply is helpful--
Any progress or updates?
--please don't forget to Accept as answer if the reply is helpful--
Hello @Roberto ,
I am sorry for the late reply.
Thank you so much for your update.
And from the information you have checked and provided, it seems or I can see:
1.The AD replication in your domain works fine
2.The SYSVOL folder is synchronized (the number of items in the same path on all DCs is the same--157).
Now based on the error message, we can compare the permissions of one GPO on baseline DC (SV-102-DC) and another DC (sv-108-dc)
1.Find the GPO with the following GUID on both DC.
2.Right click this GPO and select Properties.
3.Security tab and Advanced button and compare "Permission entries".
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.